Set runAsNonRoot to true on Kourier Gateway

[nak3]

This patch sets runAsNonRoot to false on Kourier Gateway.

As per #272, the setting was necessary as:

• the envoy image wants to run as root.
• the envoy needs write access to the filesystem.

For write access, I could produce the error if I changed readOnlyRootFilesystem to false.

[2022-08-22 07:08:29.879][1][critical][main] [external/envoy/source/server/server.cc:108] error initializing configuration '/tmp/config/envoy-bootstrap.yaml': cannot bind '/tmp/envoy.admin': Read-only file system
[2022-08-22 07:08:29.879][1][info][main] [external/envoy/source/server/server.cc:790] exiting

However, runAsNonRoot could be false without any isssue on OpenShift.
openshift-knative/serverless-operator#1677 verified.

Fix #274

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nak3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nak3]

/hold

I think we should not merge at the release day. (Today is the release day.)

[codecov]

Codecov Report

Merging #902 (801378d) into main (f615357) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #902   +/-   ##
=======================================
  Coverage   80.77%   80.77%           
=======================================
  Files          18       18           
  Lines        1233     1233           
=======================================
  Hits          996      996           
  Misses        190      190           
  Partials       47       47           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[knative-prow]

@nak3: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
integration-tests_net-kourier_main	801378d	link	true	/test integration-tests_net-kourier_main

Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[nak3]

Ah, I see. runAsNonRoot: true could work on OpenShift but does not work with upstream envoy image.

  Normal   Scheduled  4m6s                  default-scheduler  Successfully assigned kourier-system/3scale-kourier-gateway-8499649b5b-slm86 to kind-worker
  Warning  Failed     118s (x12 over 4m6s)  kubelet            Error: container has runAsNonRoot and image will run as root (pod: "3scale-kourier-gateway-8499649b5b-slm86_kourier-system(d3c4788b-5e98-4676-a04d-467d86413a1a)", container: kourier-gateway)
  Normal   Pulled     104s (x13 over 4m6s)  kubelet            Container image "docker.io/envoyproxy/envoy:v1.20-latest" already present on machine

[skonto]

@nak3 You could use a specific user like nobody I guess as in projectcontour/contour#4084?

[nak3]

No, because of OpenShift's feature.